Tuesday, July 8, 2025

[Research] ASP.NET WebForm site: OWASP ZAP 2.16.1 reports the [CSP: Failure to Define Directive with No Fallback] weakness. How to fix it?

2025-07-08

Environment: Visual Studio 2022 + ASP.NET + WebForm + Web Application + C# + SQL Server 2019 + SQL Server Management Studio (SSMS) 20

********************************************************************************

Continued from this post:

[Research] ASP.NET WebForm site scanned with OWASP ZAP 2.16.1 reports the [Content Security Policy (CSP) Header Not Set] weakness. How to fix it?

https://shaurong.blogspot.com/2025/07/aspnet-webform-owasp-zap-2161-content.html

ASP.NET WebForm site: OWASP ZAP reports the [CSP: Failure to Define Directive with No Fallback] weakness

Evidence

default-src 'self'; script-src 'self' https://www.google.com https://www.gstatic.com; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:;frame-src 'self' https://www.google.com;

Description

The Content Security Policy fails to define one of the directives that has no fallback. Missing/excluding them is the same as allowing anything.

Solution

Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

ChatGPT says:

❗ The problem is:

The following high-risk directives are not set; it is recommended to add them (even if only as strict restrictions):

Directive      Description
object-src     Controls <object>, Flash, Java applets and other legacy technologies
base-uri       Controls the <base> tag, preventing URL redirection to a malicious site
form-action    Controls <form action> targets, preventing data submission to a malicious site

✅ Recommended CSP after the change:

In the ASP.NET WebForm project's Global.asax.cs:

// Runs once per request. Writing Response.Headers requires the IIS integrated
// pipeline; under classic mode it throws PlatformNotSupportedException.
protected void Application_BeginRequest(object sender, EventArgs e)
{
    Response.Headers.Add("Content-Security-Policy",
        "default-src 'self'; " +
        "script-src 'self' https://www.google.com https://www.gstatic.com; " +
        "style-src 'self' https://fonts.googleapis.com; " +
        "font-src 'self' https://fonts.gstatic.com; " +
        "img-src 'self' data:; " +
        "frame-src 'self' https://www.google.com; " +
        "object-src 'none'; " +   // block <object>/<embed> plugins entirely
        "base-uri 'self'; " +     // <base> may only point at this origin
        "form-action 'self';"     // forms may only submit to this origin
    );
}

Afterwards the problem remained; after several rounds of discussion and testing with ChatGPT the same issue still appeared, so it is set aside for now.
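Since the alert persisted after the change above, an offline check of which no-fallback directives a header still lacks helps narrow the cause. This is an added Python example, not code from the post or from ZAP: the directive list follows the CSP Level 3 spec (base-uri, form-action and frame-ancestors do not fall back to default-src), and it is an assumption that this list matches exactly what the ZAP rule checks.

```python
"""Report which CSP directives that have no fallback are missing from a header."""

# Directives that do NOT fall back to default-src when absent (CSP Level 3).
# Omitting any of them leaves that behaviour unrestricted. Assumed to be the
# set the ZAP rule checks; the rule's own source is authoritative.
NO_FALLBACK_DIRECTIVES = ("base-uri", "form-action", "frame-ancestors")


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # tolerate empty segments such as a trailing ';'
        name, values = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, values)  # browsers keep the first occurrence
    return policy


def missing_no_fallback(header: str) -> list:
    """Return the no-fallback directives the header does not define."""
    policy = parse_csp(header)
    return [d for d in NO_FALLBACK_DIRECTIVES if d not in policy]


# Constructed copy of the header ZAP reported as evidence in the post.
ZAP_EVIDENCE = (
    "default-src 'self'; script-src 'self' https://www.google.com https://www.gstatic.com; "
    "style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; "
    "img-src 'self' data:;frame-src 'self' https://www.google.com;"
)

# The same header with the three directives the Global.asax.cs snippet adds.
AMENDED = ZAP_EVIDENCE + " object-src 'none'; base-uri 'self'; form-action 'self';"


if __name__ == "__main__":
    for label, hdr in (("ZAP evidence", ZAP_EVIDENCE), ("amended", AMENDED)):
        print(f"{label}: missing {missing_no_fallback(hdr) or 'none'}")
```

Run against the amended header the checker still reports frame-ancestors, which is one concrete thing to verify in the response ZAP actually receives (including whether a second Content-Security-Policy header is being sent from web.config).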

(End)
